[Xymon] precedence of rules in analysis.cfg

Gautier Begin gbegin at csc.com
Wed Aug 13 10:47:01 CEST 2014 

Juergen,

The file is read from top to down. The process stops to read the file when 
it finds the first feature that matches.

In your exemple, if a disk data comes with the hostname Win32Server on the 
disk C, first thresholds are used (C 85 90).
Any server of class win32 on data disk on the C drive will use the third 
thresholds (80 90)
In any other cases for disk data, the default thresholds will be used (90 
95)

Cordialement, Regards,Mit freundlichen Grüßen,

Gautier BEGIN




From:   Juergen Fischer/DEU/CSC at CSC
To:     xymon at xymon.com
Date:   08/13/2014 09:44 AM
Subject:        [Xymon] precedence of rules in analysis.cfg
Sent by:        "Xymon" <xymon-bounces at xymon.com>



Please can someone help me regarding the precedence of rules in 
analysis.cfg? 

analysis.cfg example to illustrate my questions: 

#----------------------------------------------------------- 

HOST=Win32Server 
        DISK        C 85 90 

DEFAULT 
        DISK        * 90 95 

CLASS=win32 
        DISK        C 80 90 
        LOG        %.*                                  %error 
COLOR=yellow 
        LOG        eventlog:Application        %warning COLOR=yellow  
IGNORE="%warning .* Symantec AntiVirus .* Could not scan .* files inside 
.* due to extraction errors encountered by the Decomposer 
Engines\.Application has encountered an error" 

#----------------------------------------------------------- 

Assumption: Host 'Win32Server' is a CLASS=win32 server running in central 
mode 

DISK questions: 

1. Does Win32Server's C disk go yellow at 85, 90 or 95% ? 

2. Is this because of the ORDER of the applying rules (first HOST, then 
DEFAULT, then CLASS) 
   or is it because HOST is more specific then CLASS and CLASS is more 
specific then DEFAULT? 

3. Does Xymon at all try to find further possibly matching DISK rules 
after the first  matching 
   rule - underneath HOST in this example - has been encountered? 

LOG questions: 

1. If an eventlog message happens to match the 1st of the above listed LOG 
rules 
   (because it contains 'error'), will the second rule be evaluated at 
all? 

2. And if the 2nd rule should get evaluated, which of the 2 rules would 
take precedence?
  (Assuming both rules logically match, but have conflicting effects 
because of the IGNORE 
   - i.e. a line that matches the IGNORE and hence has also the word 
'error' in it. 
   Will it be ignored, because the 2nd rule applies? Or will it show 
yellow, because 
   the 1st rule applies? And why is this so? 

3. The answers to the 2 prior questions will probably already have 
answered this one: 
   Should specific LOG rules appear before or after the more general ones 
to give to give 
   the first match precedence? 

Many thanks
Jürgen_______________________________________________
Xymon mailing list
Xymon at xymon.com
http://lists.xymon.com/mailman/listinfo/xymon

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20140813/f2542a7d/attachment.html>

More information about the Xymon mailing list